2.4.23: user/kernel pointer bugs (vicam.c, w9968cf.c)

From: Robert T. Johnson (rtjohnso_at_eecs.berkeley.edu)
Date: 01/07/04

    To: luca_ing@libero.it
    Date:	07 Jan 2004 13:47:32 -0800

    I think there are exploitable user/kernel pointer bugs in vicam.c and
    w9968cf.c. The bugs are very simple, so I think the patches speak for
    themselves. Thanks for looking at this, and my apologies if I've made
    any mistakes. Let me know if you have any questions.

    Best,
    Rob

    P.S. Both of these bugs were found using the source code verification
    tool, CQual, developed by Jeff Foster, myself, and others, and available
    from http://www.cs.umd.edu/~jfoster/cqual/.

    --- drivers/usb/vicam.c.orig Wed Jan 7 13:26:01 2004
    +++ drivers/usb/vicam.c Mon Jan 5 17:23:11 2004
    @@ -601,12 +601,19 @@
             case VIDIOCSWIN:
                     {
     
    - struct video_window *vw = (struct video_window *) arg;
    - DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
    + struct video_window vw;
     
    - if ( vw->width != 320 || vw->height != 240 )
    + if (copy_from_user(&vw, arg, sizeof(vw)))
    + {
                                     retval = -EFAULT;
    + break;
    + }
    +
    + DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
                             
    + if ( vw.width != 320 || vw.height != 240 )
    + retval = -EFAULT;
    +
                             break;
                     }
     
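Review bot: the `+ DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);` line added in this hunk still uses `->` although `vw` is now a `struct video_window` rather than a pointer; it should read `vw.width, vw.height`, and as written it only compiles when DBG expands to nothing. The rest of the hunk is right: the window is copied in with copy_from_user() before any field is read, and a failed copy returns -EFAULT instead of dereferencing `arg` in kernel context. The pre-existing choice of -EFAULT (rather than -EINVAL) for an unsupported window size is unchanged here and outside the patch's scope.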

    --- drivers/usb/w9968cf.c.orig Wed Jan 7 13:32:28 2004
    +++ drivers/usb/w9968cf.c Wed Jan 7 13:44:44 2004
    @@ -3552,10 +3552,13 @@
     
             case VIDIOCSYNC: /* wait until the capture of a frame is finished */
             {
    - unsigned int f_num = *((unsigned int *) arg);
    + unsigned int f_num;
                     struct w9968cf_frame_t* fr;
                     int err = 0;
     
    + if (copy_from_user(&f_num, arg, sizeof(f_num)))
    + return -EFAULT;
    +
                     if (f_num >= cam->nbuffers) {
                             DBG(4, "Invalid frame number (%d). "
                                    "VIDIOCMCAPTURE failed.", f_num)
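Review bot: the new `return -EFAULT;` after copy_from_user() exits the function directly while this case declares `int err = 0;` for its error path; if anything acquired earlier in the ioctl handler has to be released before returning, the new exit needs that cleanup too, otherwise the direct return is acceptable. Copying `f_num` before the `f_num >= cam->nbuffers` test is the right order, since the bounds check now runs on a kernel-side copy instead of re-reading user memory. Visible in the unchanged context, but not introduced by this patch: the DBG message for a bad frame number in the VIDIOCSYNC case says "VIDIOCMCAPTURE failed".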
    @@ -3620,7 +3623,8 @@
             {
                     struct video_buffer* buffer = (struct video_buffer*)arg;
     
    - memset(buffer, 0, sizeof(struct video_buffer));
    + if (clear_user(buffer, sizeof(struct video_buffer)))
    + return -EFAULT;
     
                     DBG(5, "VIDIOCGFBUF successfully called.")
                     return 0;
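Review bot: clear_user() returns the number of bytes it could not clear, so testing for a nonzero result and returning -EFAULT is correct. `buffer` is still a plain pointer cast from `arg`, though; only the memset and the `return 0;` are visible here, so if any other statement in this case reads or writes `buffer->...` directly, it has the same user/kernel confusion and needs put_user()/copy_to_user() as well.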

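As an added illustration (not part of Rob's message or of either driver), the following user-space model shows the pattern all three hunks apply: the ioctl argument is a user pointer, so it must be read with copy_from_user() or cleared with clear_user() instead of being dereferenced. copy_from_user() and clear_user() are replaced by simulated versions (`sim_copy_from_user`, `sim_clear_user`, built on a `sim_access_ok` range check against a constructed 4 KiB "user" page), the two structs are minimal stand-ins for the V4L1 ones, the -EINVAL for an out-of-range frame number is an assumption (the hunk only shows the DBG message), and the `demo_*` helpers exist only to stage inputs.

```c
/* Added example: user-space model of the vicam.c / w9968cf.c fixes. Not kernel code. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define EFAULT 14
#define EINVAL 22

/* Minimal stand-ins for the V4L1 structures the patched ioctls handle. */
struct video_window { unsigned int x, y, width, height; };
struct video_buffer { void *base; int height, width, depth, bytesperline; };

/* Constructed stand-in for user address space: one page of "user" memory. */
static unsigned char user_mem[4096];

/* Stand-ins for kernel-side data; their addresses lie outside user_mem. */
static struct video_window kernel_win = { 0, 0, 320, 240 };
static struct video_buffer kernel_fbuf = { NULL, 240, 320, 24, 960 };

/* Simulated access_ok(): true only if [p, p + len) lies within user_mem. */
static int sim_access_ok(const void *p, size_t len)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)user_mem, hi = lo + sizeof user_mem;
    return a >= lo && a <= hi && len <= hi - a;
}

/* Simulated copy_from_user(): returns the number of bytes NOT copied, like the real one. */
static unsigned long sim_copy_from_user(void *to, const void *from, unsigned long n)
{
    if (!sim_access_ok(from, n))
        return n;
    memcpy(to, from, n);
    return 0;
}

/* Simulated clear_user(): returns the number of bytes NOT cleared, like the real one. */
static unsigned long sim_clear_user(void *to, unsigned long n)
{
    if (!sim_access_ok(to, n))
        return n;
    memset(to, 0, n);
    return 0;
}

/* VIDIOCSWIN as patched in vicam.c: copy the struct in, then validate the kernel copy. */
int vicam_setwin(const void *arg)
{
    struct video_window vw;
    if (sim_copy_from_user(&vw, arg, sizeof vw))
        return -EFAULT;                 /* arg is not a valid user pointer */
    if (vw.width != 320 || vw.height != 240)
        return -EFAULT;                 /* the patch keeps -EFAULT for an unsupported size */
    return 0;
}

/* VIDIOCSYNC as patched in w9968cf.c: copy f_num in before bounds-checking it.
   -EINVAL for an out-of-range frame is an assumption; the hunk only shows the DBG message. */
int w9968cf_sync(const void *arg, unsigned int nbuffers)
{
    unsigned int f_num;
    if (sim_copy_from_user(&f_num, arg, sizeof f_num))
        return -EFAULT;
    if (f_num >= nbuffers)
        return -EINVAL;
    return 0;
}

/* VIDIOCGFBUF as patched in w9968cf.c: clear the caller's struct with clear_user(). */
int w9968cf_getfbuf(void *arg)
{
    if (sim_clear_user(arg, sizeof(struct video_buffer)))
        return -EFAULT;
    return 0;
}

/* Scenario helpers: stage the input in the constructed user page, then call the handler. */
int demo_setwin(unsigned int w, unsigned int h)
{
    struct video_window *uvw = (struct video_window *)user_mem;
    uvw->width = w; uvw->height = h;
    return vicam_setwin(uvw);
}
int demo_setwin_kernel_ptr(void) { return vicam_setwin(&kernel_win); }
int demo_sync(unsigned int f_num, unsigned int nbuffers)
{
    memcpy(user_mem, &f_num, sizeof f_num);
    return w9968cf_sync(user_mem, nbuffers);
}
int demo_sync_kernel_ptr(void) { return w9968cf_sync(&kernel_win.width, 4); }
/* 0 only if the call succeeded AND the user struct really was zeroed. */
int demo_getfbuf_user(void)
{
    struct video_buffer *ub = (struct video_buffer *)user_mem;
    ub->width = 320;
    int rc = w9968cf_getfbuf(ub);
    return (rc == 0 && ub->width == 0) ? 0 : -1;
}
/* -EFAULT only if the call was refused AND kernel memory was left untouched. */
int demo_getfbuf_kernel_ptr(void)
{
    int rc = w9968cf_getfbuf(&kernel_fbuf);
    return (rc == -EFAULT && kernel_fbuf.width == 320) ? -EFAULT : -1;
}

int main(void)
{
    printf("VIDIOCSWIN 320x240, user ptr   : %d\n", demo_setwin(320, 240));
    printf("VIDIOCSWIN 640x480, user ptr   : %d\n", demo_setwin(640, 480));
    printf("VIDIOCSWIN, kernel ptr         : %d\n", demo_setwin_kernel_ptr());
    printf("VIDIOCSYNC frame 2 of 4        : %d\n", demo_sync(2, 4));
    printf("VIDIOCSYNC frame 4 of 4        : %d\n", demo_sync(4, 4));
    printf("VIDIOCSYNC, kernel ptr         : %d\n", demo_sync_kernel_ptr());
    printf("VIDIOCGFBUF, user ptr          : %d\n", demo_getfbuf_user());
    printf("VIDIOCGFBUF, kernel ptr        : %d\n", demo_getfbuf_kernel_ptr());
    return 0;
}
```

The point the model makes is the one the patches rely on: with the copy helpers, a pointer that does not point into user space is rejected with -EFAULT before any field is touched, so the subsequent width/height and frame-number checks only ever run on data the kernel owns. In the real 2.4 videodev path the driver's ioctl receives `arg` as the raw user pointer, which is why the direct dereferences in the original code were a problem.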